Checking how your ISMS is performing.
Monitoring & Review Phase of ISO 27001 Implementation
The Monitoring & Review phase of ISO 27001 implementation focuses on continuously evaluating the ISMS to ensure its effectiveness and alignment with organisational objectives.
This phase involves regular monitoring, measurement, and auditing activities to identify areas for improvement and ensure compliance with the established policies and controls.
High-Level Summary of the Monitoring & Review Phase
The Monitoring & Review phase includes the following key steps:
1. Monitor & Measure ISMS Performance
2. Management Review
3. Internal Audits
The Quality Cycle
The PDCA (Plan-Do-Check-Act) cycle is a continuous improvement methodology that involves four key stages: planning an objective and the necessary processes, implementing the plan, monitoring and evaluating the results, and acting on the findings to make necessary adjustments.
The cycle ensures that processes are continually reviewed and improved over time.
In the context of ISO 27001, the PDCA cycle is integral to implementing and maintaining your Information Security Management System (ISMS).
It helps an organisation systematically manage and improve its information security practices by ensuring that security policies and controls are planned, implemented, monitored, and continuously enhanced.
The reason I’m mentioning it is that it’s a very commonly understood model in business, and it underpins the latter stages of the ISO 27001 implementation: the “Check” and “Act” parts map to the “Performance evaluation” requirements of Clause 9 (what this page calls “Monitoring & Review”) and the “Improvement” requirements of Clause 10.
Monitor & Measure ISMS Performance
Overview
Regular monitoring and measurement of the ISMS performance is needed to ensure that the system meets its objectives and operates effectively.
Activities involve tracking specific metrics and indicators to identify trends, deviations, and areas needing attention.
Implementation Steps
Define Metrics and Indicators
Identify key performance indicators (KPIs) that align with the ISMS objectives. Examples of KPIs include the number of security incidents, incident response and resolution times, compliance levels, user awareness scores, and the effectiveness of implemented controls.
Ensure that the selected metrics are measurable, relevant, and provide a clear picture of the ISMS performance. Clause 9.1 requires you to determine not just what is monitored and measured, but also the method, when it is done, who does it, and who analyses and evaluates the results, so record those decisions alongside each metric.
Determine the frequency of monitoring activities based on the criticality of the metrics. Daily, weekly, monthly, or quarterly checks can be implemented depending on the specific needs of the organisation.
Assign responsibilities for monitoring activities to ensure consistency and accountability.
Utilise automated tools for logging and analyzing security events, such as Security Information and Event Management (SIEM) systems.
Incorporate manual data collection methods where automation is not feasible. This may include surveys, interviews, and physical inspections.
Tips
Keep it simple to begin with. You can always add things in at a later date. Maybe even choose the top 5 metrics that would really make a difference when you are starting your ISMS.
The temptation can be to measure and report on everything. I refer back to the previous point about keeping it simple, and only metrics / KPIs that can be acted upon.
Don’t get too operationally focused. Look for trends and anything that might indicate if processes are working well, or otherwise.
Compile Performance Reports
Aggregate the collected data into comprehensive performance reports. These reports should highlight key findings, trends, deviations, and areas requiring attention.
Use visual aids like charts and graphs to enhance the clarity and impact of the reports.
Conduct Regular Reviews and Analysis
Regularly review the performance reports with relevant stakeholders, including ISMS managers and senior management.
Analyze the data to assess the ISMS's effectiveness, identify any areas needing improvement, and determine the root causes of any deviations.
Implement Corrective Actions
Develop and implement corrective actions to address identified issues. This could involve updating policies, improving controls, or providing additional training.
Track the implementation and effectiveness of corrective actions to ensure that they achieve the desired outcomes.
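The steps above describe a reporting loop but do not show what “trends and deviations” look like once you have data in hand. The following is an added example, not code from the original page or from any ISMS product: it computes a handful of the KPIs named above (incident volume per month, mean time to resolve, SLA breach rate, open incidents past their SLA) from constructed incident records and raises flags where a figure crosses a threshold. The SLA targets, the 10% breach threshold, the incident records and the report date are all assumptions chosen for illustration.

```python
"""Small KPI report for ISMS performance monitoring (added example, not from the page)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumed resolution targets in hours per severity; a real ISMS takes these from its
# incident-management procedure, not from this script.
SLA_HOURS = {"high": 24, "medium": 72, "low": 168}
SLA_BREACH_THRESHOLD = 0.10  # assumed: flag when more than 10% of closed incidents breach SLA


@dataclass(frozen=True)
class Incident:
    ident: str
    reported: datetime
    resolved: Optional[datetime]  # None while the incident is still open
    severity: str                 # key into SLA_HOURS


# Constructed sample data: hypothetical (id, reported, resolved, severity) records.
# An empty "resolved" string means the incident is still open.
RAW_INCIDENTS = [
    ("INC-001", "2024-01-03T09:00", "2024-01-03T15:00", "high"),
    ("INC-002", "2024-01-17T11:30", "2024-01-19T10:30", "medium"),
    ("INC-003", "2024-02-05T08:00", "2024-02-07T08:00", "high"),    # 48h: breaches 24h target
    ("INC-004", "2024-02-20T14:00", "2024-02-21T14:00", "low"),
    ("INC-005", "2024-02-28T16:00", "2024-03-01T16:00", "medium"),
    ("INC-006", "2024-03-04T10:00", "2024-03-04T12:00", "high"),
    ("INC-007", "2024-03-29T09:00", "", "medium"),                  # open, still inside SLA
    ("INC-008", "2024-03-18T09:00", "", "high"),                    # open, well past SLA
    ("INC-009", "2024-03-25T09:00", "2024-03-25T10:00", "low"),
]
NOW = datetime(2024, 3, 31, 12, 0)  # constructed report date used to age open incidents


def parse_incidents(rows) -> List[Incident]:
    """Turn raw tuples into Incident objects, rejecting severities with no SLA defined."""
    out = []
    for ident, reported, resolved, severity in rows:
        if severity not in SLA_HOURS:
            raise ValueError(f"unknown severity {severity!r} on {ident}")
        out.append(Incident(ident, datetime.fromisoformat(reported),
                            datetime.fromisoformat(resolved) if resolved else None, severity))
    return out


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def incidents_per_month(incidents: List[Incident]) -> Dict[str, int]:
    """Count incidents by the month they were reported, keys sorted chronologically."""
    counts: Dict[str, int] = {}
    for inc in incidents:
        key = inc.reported.strftime("%Y-%m")
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items()))


def mean_time_to_resolve_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean time to resolve over closed incidents only; None if nothing has closed yet."""
    durations = [hours_between(i.reported, i.resolved) for i in incidents if i.resolved]
    return sum(durations) / len(durations) if durations else None


def sla_breach_rate(incidents: List[Incident]) -> float:
    """Fraction of closed incidents whose resolution time exceeded the severity's target."""
    closed = [i for i in incidents if i.resolved]
    if not closed:
        return 0.0
    breached = sum(1 for i in closed
                   if hours_between(i.reported, i.resolved) > SLA_HOURS[i.severity])
    return breached / len(closed)


def open_past_sla(incidents: List[Incident], now: datetime) -> List[str]:
    """IDs of still-open incidents that have already aged beyond their target."""
    return [i.ident for i in incidents
            if i.resolved is None and hours_between(i.reported, now) > SLA_HOURS[i.severity]]


def trend(monthly_counts: Dict[str, int]) -> str:
    """Classify the direction of a monthly series as rising, falling, or no clear trend."""
    values = list(monthly_counts.values())
    if len(values) < 2:
        return "insufficient data"
    steps = [b - a for a, b in zip(values, values[1:])]
    if all(s >= 0 for s in steps) and values[-1] > values[0]:
        return "rising"
    if all(s <= 0 for s in steps) and values[-1] < values[0]:
        return "falling"
    return "no clear trend"


def performance_report(incidents: List[Incident], now: datetime) -> dict:
    """Assemble the KPIs and flag the deviations a reviewer should look at first."""
    monthly = incidents_per_month(incidents)
    report = {
        "incidents_per_month": monthly,
        "trend": trend(monthly),
        "mttr_hours": mean_time_to_resolve_hours(incidents),
        "sla_breach_rate": sla_breach_rate(incidents),
        "open_past_sla": open_past_sla(incidents, now),
        "flags": [],
    }
    if report["trend"] == "rising":
        report["flags"].append("incident volume rising month on month")
    if report["sla_breach_rate"] > SLA_BREACH_THRESHOLD:
        report["flags"].append(
            f"SLA breach rate {report['sla_breach_rate']:.0%} exceeds {SLA_BREACH_THRESHOLD:.0%}")
    if report["open_past_sla"]:
        report["flags"].append("open incidents past SLA: " + ", ".join(report["open_past_sla"]))
    return report


if __name__ == "__main__":
    for key, value in performance_report(parse_incidents(RAW_INCIDENTS), NOW).items():
        print(f"{key}: {value}")
```

The point of the `flags` list is the “only metrics that can be acted upon” advice above: the report is built so that a reviewer sees the three or four items that need a decision, rather than every number. Open incidents are aged against the report date separately from closed ones, because a mean time to resolve computed only from closed tickets hides the ones that have been sitting untouched.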
Management Review
Overview
Periodic management reviews are essential for assessing the overall performance of the ISMS and a requirement of clause 9.3.
Reviews provide an opportunity for senior management to evaluate the system's effectiveness, ensure it remains aligned with organizational objectives, and make strategic decisions. Management reviews also help in ensuring the continual improvement of the ISMS.
Implementation Steps
Schedule Reviews
Plan regular management review meetings, typically on a quarterly or semi-annual basis, to maintain a consistent review cycle. However, ISO 27001 doesn’t specifically say what the minimum is.
Ensure that all relevant stakeholders, including senior management, ISMS managers, and key department heads, are invited to the review meetings.
Prepare Review Agenda
Develop a comprehensive agenda for each management review meeting. Clause 9.3.2 lists the inputs the review must consider, so the agenda should cover at least:
Performance metrics and key performance indicators (KPIs), including whether the information security objectives have been met.
Results of internal audits, and the status of actions from previous management reviews.
Trends in nonconformities and the status of corrective actions.
Results of risk assessments and the status of the risk treatment plan.
Feedback from interested parties, including employees, customers, and regulatory bodies, and any changes in their needs and expectations.
Any changes in external and internal issues that may impact the ISMS.
Opportunities for continual improvement.
Conduct Reviews
During the review meetings, discuss each agenda item in detail. Evaluate the ISMS's performance, considering any significant changes in the organizational context or the scope of the ISMS.
Assess the adequacy of resources allocated for the ISMS and determine if additional resources are required.
Review the effectiveness of the ISMS in achieving its objectives and meeting compliance requirements.
Document Minutes
Document the minutes of each management review meeting. Ensure that all decisions made, action items assigned, and any adjustments to the ISMS are clearly recorded. You’ll need to evidence these in any audit you go through.
Distribute the minutes to all relevant stakeholders and ensure that they are archived for future reference.
Follow-Up on Action Items
Ensure that all action items from the review meetings are followed up and completed. Assign responsibilities and set deadlines for each action item.
Monitor the progress of action items and provide regular updates during subsequent management review meetings.
Internal Audits
Overview
Internal audits are a requirement under clause 9.2 of ISO 27001:2022 (9.2.1 sets the general requirement, 9.2.2 the audit programme), and therefore a critical component of the Monitoring & Review phase.
These audits assess the ISMS's compliance with ISO 27001 requirements and organizational policies. Internal audits help identify non-conformities, areas for improvement, and ensure that the ISMS is effectively implemented and maintained.
Implementation Steps
Audit Planning
Develop an internal audit plan that covers all aspects of the ISMS. This plan should detail the audit scope, objectives, schedule, and audit criteria.
Because of the scope of 27001, and the controls in Annex A, I’d strongly recommend breaking your audit into parts, maybe focusing on one clause or control set every month. Little and often has been a better approach in my experience. It’s certainly better than rushing it 2 days before your external audit. They know.
Ensure that the audit plan is approved by senior management and communicated to all relevant stakeholders.
Assign Auditors
Select auditors with the necessary skills, knowledge, and independence to conduct the audits. Auditors should be impartial and not responsible for the areas they are auditing.
Provide auditors with adequate training on ISO 27001 requirements and internal audit procedures.
Conduct Audits
Perform the internal audits according to the audit plan. Use a systematic approach to evaluate the ISMS's compliance, including reviewing documentation, interviewing staff, and inspecting processes and controls.
Focus on key areas such as risk assessment and treatment, control implementation, incident response, and continuous improvement.
Document Findings
Document all audit findings in an audit report. Highlight any non-conformities, observations, and recommendations for improvement.
Ensure that the audit report is clear, concise, and provides actionable insights for the ISMS managers and senior management.
Findings tend to fall into two categories:
Nonconformity – something that is outright noncompliant with the ISO standard or with your own ISMS policies and procedures. Clause 10.2 requires each one to have a documented corrective action and a check that the action worked.
Opportunities for Improvement – where you recognise something isn’t working as well as you’d like and could do with a little attention.
Develop & Implement Corrective Actions
Based on the audit findings, develop corrective actions to address identified nonconformities and areas for improvement.
Ensure that corrective actions are specific, measurable, achievable, relevant, and time-bound (SMART).
Assign responsibilities for implementing corrective actions and set deadlines for completion.
Track the progress of corrective actions and ensure that they are effectively implemented.
Alignment with ISO 27001:2022 Clause 7
Clause 7 of ISO 27001:2022 focuses on the support needed for the establishment, implementation, maintenance, and continual improvement of the Information Security Management System (ISMS).
The Monitoring & Review phase supports this through activities that ensure the ISMS is resourced, staffed by competent people, understood across the organisation, documented, and continually improved.
Resources (Clause 7.1)
The Monitoring & Review phase ensures that adequate resources are allocated and used efficiently for maintaining the ISMS. This includes both the human and technical resources necessary for monitoring, measuring, and reviewing ISMS performance.
Regular Monitoring and Measurement Reporting: Ensures resources such as SIEM systems, monitoring tools, and skilled personnel are in place for effective performance tracking.
Management Review Meetings: Allocate time and personnel to assess resource needs and make adjustments as necessary; resource needs are an explicit output of the management review under clause 9.3.3.
Internal Audit Plans & Results: Determine the approach to, and resources for, internal auditing, and identify any gaps or areas for improvement.
Competence (Clause 7.2)
Ensuring that personnel involved in the ISMS have the necessary competence is critical. The Monitoring & Review phase involves continuous evaluation and improvement of staff skills and knowledge.
Training and Awareness Programmes: Conduct regular training sessions to keep staff updated on the latest security practices and standards.
Audit Findings and Corrective Actions: Use the audit results to identify training needs and provide targeted training to address gaps in competence.
Awareness (Clause 7.3)
Maintaining awareness about the ISMS among all employees is vital for its success.
The Monitoring & Review phase includes activities that promote ongoing awareness and understanding of information security responsibilities.
Performance Reports: Regularly communicate ISMS performance metrics and audit findings to all relevant stakeholders.
Management Reviews: Discuss ISMS performance and improvements in management review meetings, ensuring top-level awareness and commitment.
Incident Reporting and Response: Encourage employees to report security incidents and participate in response activities to maintain high awareness levels.
Communication (Clause 7.4)
Effective communication is necessary to ensure that all stakeholders are informed and engaged with the ISMS. The Monitoring & Review phase emphasizes clear and consistent communication practices.
Management Review Meetings: Provide a platform for discussing ISMS performance and disseminating information to senior management.
Audit Reports: Document and share audit findings and corrective actions with relevant stakeholders to ensure transparency and accountability.
Regular Updates: Maintain a communication plan using various channels (e.g., newsletters, emails, meetings) to keep all employees informed about ISMS developments and changes.
Documented Information (Clause 7.5)
Maintaining proper documentation is crucial for the effective management of the ISMS. The Monitoring & Review phase ensures that all necessary documentation is created, updated, and controlled.
Audit Documentation: Maintain detailed records of audit plans, findings, and corrective actions.
Management Review Minutes: Document the minutes of management review meetings, including decisions made and action items assigned.
Performance Reports: Compile and archive regular performance reports to provide a historical record of ISMS performance.
Important Notice
This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit https://www.iseoblue.com/terms.